Gearing up to implement effective risk management

While SAM applies to insurance companies only and will not be directly applied to underwriting management agencies (UMAs) or brokers, insurers that embrace outsourced business models such as these, need to provide for the fact that the outsourced entities they deal with, will contribute materially to the nature and magnitude of the risks they face.

SAM will be passed on in various forms from insurers to their business partners. As such, it is in the insurers’ best interest to implement good risk management practices in their own business, and to encourage their business partners to do the same.

In doing so, insurers will be able to successfully identify, manage and treat specific risks attached to specific activities across specific business portfolios, and add maximum sustainable value to the activities of their outsourced business partners, and their own organisation as a whole.

Defined as a risk incurred by an organisation's internal activities, operational risk is the broad discipline focusing on the risks arising from the people, systems and processes through which a company operates. It also incorporates other classes of risk such as fraud, legal, technology, physical or environmental and human error risks, which is probably one of the biggest risks all companies face.

As such, operational risk in outsourced business partners’ businesses is very much a reality, and should be treated as a risk by and for insurers.

The actual size of your outsourced partner’s small company may very well be an operational risk. The reason for this is that in a small company, a handful of employees usually perform a number of different functions, and if duties are not properly segregated, it may have a negative impact on their employees’ capacity, workload and delivery, oversight and authorisation levels.

One person performing various key tasks could severely compromise the day to day running of your outsourced partner’s business, especially if that person is absent for prolonged periods of time. Succession planning and the transfer of skills and knowledge from one employee to another should therefore be encouraged as an essential risk management tool.

Another challenge inherent in some small businesses, is that sophisticated IT systems with strong levels of built-in internal controls do not readily exist due to insufficient scales to justify the cost thereof. Accordingly, manual systems or less sophisticated systems, without strong levels of internal controls are often used, which may increase operational risk.

However, technology should be seen as a potential solution to reduce costs and errors, maximise efficiencies, and in some instances, facilitate growth and differentiation. Fraud can also be prevented with a system that has good preventative controls.

The effective documentation and implementation of policies and processes, should also be enforced. If successful, businesses can ensure that there is both consistency and continuity in the performance of duties.

It is also very much a reality that many small companies do not have a business continuity plan, which is critical in the event the company suffers a misfortune. Insurance companies rely on UMAs and brokerages for data and reports. If these cannot be produced, insurance companies will not be able to service the insured, which may lead to a breach in the agreement and also a breach in terms of the Short-Term Insurance Act. To have an effective business continuity plan in place, that has been tested for simulated disasters, will minimise the above-mentioned risks.

Given the above, it is clear that insurers need to work closely with their business partners to ensure the implementation of effective risk management tools, as this will ultimately benefit all parties concerned, including policyholders.